The Government of Nova Scotia provides a wide range of services to the citizens of
Nova Scotia that require a secure IT infrastructure. Many of the computer systems
supporting these services use the Wide Area Network (WAN) to transmit sensitive
information such as government financial transactions, personnel and payroll records,
and proprietary corporate data. The Government of Nova Scotia is committed to
protecting the integrity, confidentiality, and availability of its information systems, the
sensitive information these systems handle, and the privacy of citizens' information,
while providing for efficient and effective management of this information.
Definitions
For the purposes of this policy, the WAN is defined to include all lines and devices
used to terminate data communication services from a service provider. The WAN
may also be referred to as the Provincial Data Network in various service provider
agreements and other contracts signed with vendors. WAN devices may include
hubs, routers, switches, wireless devices, or other devices. The Security Authority
determines whether devices are classified as WAN or not. In this definition, personal
computers, file servers, printers, or other Local Area Network (LAN) devices are not
generally classified as part of the WAN. (See illustration on following page).
CORPORATE NETWORK
For the purposes of this policy, the Corporate Network includes the WAN, as defined
above, as well as LANs including file servers, personal computers, printers, and
other computing or data communications devices that are used by any department,
office, agency, board, or commission within the Government of Nova Scotia. Any
other connected organization is considered an External Entity requiring specific
authorization to connect and access the Corporate Network and is required to abide
by the WAN Security Policy and Standards, including any revisions, while connected.
This definition of the Corporate Network is intentionally broad in scope to provide
clear authority boundaries for those charged with its security. (See illustration on
following page).
Additional terms used in the body of this policy are defined in the glossary.
Page 1 of 14
Policy Objectives
Application
Policy Directives
Policy directives are the minimum mandatory requirements that shall be met by
Corporate Network connected Client Organizations and External Entities.
1. IDENTIFICATION/AUTHENTICATION
a) All accounts, user IDs and devices in the Corporate Network shall be uniquely
identifiable.
b) IT systems within the Corporate Network shall authenticate all users, applications
and devices except for those designed specifically for anonymous access. These
exceptions require the approval of the Security Authority.
2. ACCESS CONTROLS/AUTHORIZATION
a) All access points to the WAN shall be approved by the Security Authority.
b) All physical and logical connections to the WAN intended to provide access by
individuals or groups shall be approved by the Security Authority.
c) All WAN related address changes and configurations shall be approved by the
Security Authority.
d) Any individual, office, or network connected to the Corporate Network shall
require all employees to agree, through a signed or electronic agreement, to abide
by the requirements outlined in the WAN Security Policy and Standards.
e) Requests for access to the WAN for an external entity shall be done through the
sponsoring government body. The sponsor shall assume all responsibility for the
entity being sponsored.
f) Personnel who have access to sensitive information or are responsible for critical
IT security functions such as network administrators and technical support staff
require security screening.
3. REMOTE ACCESS
a) Any remote access over untrusted networks shall use technology approved by
the Security Authority to secure, monitor, and filter traffic.
b) All remote access to the WAN shall be authenticated, logged, and restricted to
minimize the risk to WAN assets.
c) Infrastructure Service Management (ISM) of the Chief Information Office must
ensure that remote access involving the WAN is monitored to protect the WAN
security profile and confidentiality of sensitive information from unauthorized
access and disclosure.
d) Any device which permits user-controlled access to the Corporate Network,
such as a wireless modem, is not allowed except where permission is granted by
the Security Authority.
e) All access to the Corporate Network shall occur through approved paths.
f) All users who use WAN resources remotely shall agree, through signed or
electronic agreement, to abide by these requirements.
6. CONTRACTORS
8. TIME SYNCHRONIZATION
a) All devices on the Corporate Network shall synchronize with a common central
time source.
a) The Security Authority shall take appropriate action, including termination of any
connection or activity, at any time where the Security Authority feels the security
of the WAN is or could be severely compromised. When circumstances permit, the
Security Authority shall consult with the application owner prior to taking action.
The Security Authority shall make a full report of the actions taken and the
reasons for such actions.
a) All planned, scheduled changes to the WAN (power up, power down,
configuration changes, and reset) shall be performed or authorized by the
Security Authority.
b) A change control process shall be used to assess the security impact of major
system upgrades and to support re-certification and accreditation. The change
control process shall ensure that all system configurations and modifications
are documented and retained in a secure environment for audit or future risk
management considerations.
Government of Nova Scotia
a) Security risk management based upon due diligence and due care shall be the
primary basis to determine WAN security safeguards and residual risk, and to
maintain the accredited WAN security profile.
b) Re-assessments of the security profile shall take place if risk, system, or other
relevant technological or organizational changes occur.
c) Before implementation, all new systems as well as additions, deletions, or
alterations to existing systems shall be reviewed to ensure that the security
profile of the Corporate Network is not compromised by the change.
a) The Security Authority shall monitor the WAN for performance and security
purposes.
b) Monitoring initiatives designed for the WAN shall operate within the legislated
requirements for protection of personal privacy.
c) Access or monitoring of LAN segments shall be in co-operation with network
administrators.
d) No person shall operate sniffers or other monitoring devices on the Corporate
Network without the prior knowledge of the Security Authority.
e) Corporate Network monitoring shall not involve reading data content unless it is
required in the performance of duties.
f) Where there is reason to believe that an individual is engaging in inappropriate
activity on the Corporate Network the content of individual files may be read.
This would only happen in an approved investigation by appropriate authorities.
g) Any investigation of data content shall be conducted in accordance with applicable
human rights, and any applicable provincial and federal legislation.
a) The Security Authority shall provide training to all ISM staff, Client Security
Officers or designates, and others as necessary on WAN Security Policy and
Standards including interpretation and application.
b) Client Organizations are responsible for the WAN Security training, within their
organization and for any External Entities sponsored by them, that is required to
ensure performance of the security responsibilities outlined in the WAN Security
Policy and Standards.
Policy Guidelines
The Wide Area Network Security Standards, WAN Security Processes, and WAN
Security Intranet web site <http://wansp.gov.ns.ca> are supplements to this policy
providing interpretation, technical standards and best practices, and guidance on
implementation, risk, and compliance. These shall be amended from time to time as
necessary to keep current with changing technology and respond to new threats to
the WAN.
Accountabilities
The Deputy Minister/Head of each Client Organization is accountable for the overall
security of all information within their jurisdiction.
SECURITY AUTHORITY
The Security Authority is responsible for operational WAN security management and
directs the implementation of the WAN Security Policy and Standards in co-operation
with ISM, Client Security Officers or designates. The Security Authority evaluates and
responds to all requests related to WAN access, services and security.
A Client Security Officer or designate is the individual(s) assigned within each Client
Organization to carry out security requirements and communications for their Client
Organization and to work in co-operation with the Security Authority to ensure
compliance with the WAN Security Policy and Standards.
CLIENT ORGANIZATION
EXTERNAL ENTITY
Managers and delegated staff, in addition to specific responsibilities cited above, shall
have other specific responsibilities for such WAN aspects as availability, network
upgrade and maintenance, security monitoring and incident reporting.
Organizations hosting WAN facilities such as routers, firewalls, wiring closets and
other related components shall ensure that physical protection of WAN assets meets
the WAN Security Policy and Standards.
The Security Policy Co-ordinator shall monitor WAN Security Policy implementation.
This responsibility includes evaluating the suitability and effectiveness of the policy and
standards. The Security Policy Co-ordinator shall co-ordinate any necessary remedial
action to address issues reported by the Security Authority in the annual WAN
security report. The Security Policy Co-ordinator shall also ensure that the policy and
standards are formally reviewed at least every two years.
SECURITY AUTHORITY
The Security Authority is responsible for monitoring the operational security of the
WAN ensuring that the established security profile is maintained and that changing
environments, potential threats, and evolving technology are addressed. The Security
Authority shall report annually to the Security Policy Co-ordinator on the WAN
security environment, identified issues and security incidents, and the effectiveness of
the WAN Security Policy.
ISM shall monitor compliance with the WAN Security Policy and Standards for all
IT systems within their jurisdiction. ISM shall notify the Security Authority and the
Security Policy Coordinator to request a policy review.
The Client Security Officer or designate shall monitor compliance with the WAN
Security Policy and standards for all IT systems within their jurisdiction. The Client
Security Officer or designate shall notify the Security Authority and the Security Policy
Coordinator to request a policy review.
References
Appendix 4-D Glossary
Enquiries
Approval date: April 1, 2002
Effective date: October 1, 2004
Approved by:
Administrative update: February 7, 2013
Appendix 4-D
Glossary
ACCESS CONTROL
BASTION HOST
A server that is hardened against attack and can therefore be used as a critical
component of network security. Firewalls and screening routers are examples of
bastion hosts.
CERTIFICATION
CLIENT ORGANIZATION
See Accountabilities.
CONFIDENTIALITY
CONTRACTOR
A third party involved in the direct management of the WAN or any part of it,
quite often under a WAN management or data communications service agreement.
Contractors are required to abide by the WAN Security Policy and Standards.
CORPORATE NETWORK
See Definitions.
DUE CARE
DUE DILIGENCE
EXTERNAL ENTITY
See Accountabilities.
FIREWALL
MODEM (MODULATOR-DEMODULATOR)
A device that converts between the digital signals used by computers and the analogue
signals used by the telephone or related telecommunication system, which enables
computers to communicate remotely. In the WAN Security Policy and Standards, a modem
includes any telecommunications device such as a dial-up modem, cable modem, dedicated
line modem, wireless device or digital subscriber line (DSL) device.
MONITOR
The activity to ensure that information and assets, or the safeguards protecting them,
are checked by security staff or electronic means with sufficient regularity to satisfy
the WAN Policy and Standards.
SECURITY PROFILE
SECURITY AUTHORITY
See Accountabilities. All references to the Security Authority in this document mean the
Security Authority or a delegate appointed by the Security Authority from time to time.
SECURITY INCIDENT
The process by which resources are planned, organized, directed and controlled to
ensure the risk of operating an IT system remains within acceptable bounds at optimal
cost.
SERVICE PROVIDER
A third party involved in the direct management of the WAN or any part of it, quite
often under a WAN management or data communications contract. Exceptions to the
WAN Security Policy and Standards, if applicable, shall be documented in the service
agreement.
TIME SYNCHRONIZATION
Process of ensuring that all devices on the WAN have the same time, to ensure the
accuracy of records and logs.
THREAT
Any potential event or act that could cause one or more of the following to occur:
unauthorized disclosure, destruction, removal, modification or interruption of sensitive
information, assets, services, or injury to people. A threat may be deliberate or
accidental.
UNTRUSTED NETWORK
A network, such as the Internet, that gives a user no basis for confidence or
assurance in its inherent security.
See Definitions.